last executing test programs:

kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.220' (ED25519) to the list of known hosts.
1970/01/01 00:01:28 fuzzer started
1970/01/01 00:01:28 dialing manager at 10.128.0.169:30028
[ 88.458154][ T6263] cgroup: Unknown subsys name 'net'
[ 88.542142][ T6270] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 88.668673][ T6263] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:01:28 starting 5 executor processes
[ 89.576851][ T6286] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 89.584157][ T6287] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 89.586412][ T6287] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 89.589885][ T6286] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 89.591907][ T6289] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 89.592553][ T6286] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 89.594976][ T6289] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 89.597390][ T6286] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 89.598492][ T6289] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 89.599882][ T6286] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 89.601499][ T6289] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 89.603686][ T6286] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 89.606430][ T6289] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 89.610516][ T6289] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 89.613017][ T6289] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 89.624930][ T6289] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 89.634298][ T6289] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 89.645649][ T6289] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 89.651600][ T6287] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 89.654490][ T6287] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 89.656827][ T6287] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 89.659244][ T6287] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 89.661459][ T6287] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 89.664136][ T6287] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 89.666913][ T6287] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 89.669351][ T6287] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 89.671245][ T6289] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 89.671690][ T6287] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 89.676239][ T6287] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 89.678671][ T6287] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 89.683912][ T6289] ==================================================================
[ 89.686046][ T6289] BUG: KASAN: double-free in kfree_skbmem+0x15c/0x1ec
[ 89.687786][ T6289] Free of addr ffff0000ec0103c0 by task kworker/u9:4/6289
[ 89.689632][ T6289]
[ 89.690235][ T6289] CPU: 1 PID: 6289 Comm: kworker/u9:4 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0
[ 89.693102][ T6289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 89.695755][ T6289] Workqueue: hci4 hci_rx_work
[ 89.696925][ T6289] Call trace:
[ 89.697734][ T6289]  dump_backtrace+0x1b8/0x1e4
[ 89.698943][ T6289]  show_stack+0x2c/0x3c
[ 89.699993][ T6289]  dump_stack_lvl+0xe4/0x150
[ 89.701200][ T6289]  print_report+0x198/0x538
[ 89.702335][ T6289]  kasan_report_invalid_free+0xc4/0x118
[ 89.703753][ T6289]  poison_slab_object+0x140/0x180
[ 89.705098][ T6289]  __kasan_slab_free+0x3c/0x70
[ 89.706307][ T6289]  kmem_cache_free+0x178/0x4e4
[ 89.707549][ T6289]  kfree_skbmem+0x15c/0x1ec
[ 89.708711][ T6289]  kfree_skb_reason+0x1c8/0x4a4
[ 89.709928][ T6289]  hci_req_sync_complete+0xb0/0x248
[ 89.711276][ T6289]  hci_event_packet+0xab8/0x105c
[ 89.712543][ T6289]  hci_rx_work+0x318/0xa78
[ 89.713659][ T6289]  process_one_work+0x7b0/0x15e8
[ 89.714939][ T6289]  worker_thread+0x938/0xef4
[ 89.716095][ T6289]  kthread+0x288/0x310
[ 89.717161][ T6289]  ret_from_fork+0x10/0x20
[ 89.718342][ T6289]
[ 89.718979][ T6289] Allocated by task 52:
[ 89.719995][ T6289]  kasan_save_track+0x40/0x78
[ 89.721184][ T6289]  kasan_save_alloc_info+0x40/0x50
1970/01/01 00:01:29 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 89.722561][ T6289]  __kasan_slab_alloc+0x74/0x8c
[ 89.723760][ T6289]  kmem_cache_alloc_noprof+0x1c0/0x350
[ 89.725217][ T6289]  skb_clone+0x1c8/0x330
[ 89.726297][ T6289]  hci_cmd_work+0x174/0x568
[ 89.727539][ T6289]  process_one_work+0x7b0/0x15e8
[ 89.728853][ T6289]  worker_thread+0x938/0xef4
[ 89.730032][ T6289]  kthread+0x288/0x310
[ 89.731148][ T6289]  ret_from_fork+0x10/0x20
[ 89.732271][ T6289]
[ 89.732869][ T6289] Freed by task 6293:
[ 89.733908][ T6289]  kasan_save_track+0x40/0x78
[ 89.735128][ T6289]  kasan_save_free_info+0x54/0x6c
[ 89.736375][ T6289]  poison_slab_object+0x128/0x180
[ 89.737704][ T6289]  __kasan_slab_free+0x3c/0x70
[ 89.738939][ T6289]  kmem_cache_free+0x178/0x4e4
[ 89.740231][ T6289]  kfree_skbmem+0x15c/0x1ec
[ 89.741357][ T6289]  kfree_skb_reason+0x1c8/0x4a4
[ 89.742600][ T6289]  __hci_req_sync+0x4e8/0x798
[ 89.743819][ T6289]  hci_req_sync+0xa0/0xcc
[ 89.744934][ T6289]  hci_dev_cmd+0x304/0x8c0
[ 89.746048][ T6289]  hci_sock_ioctl+0x4b8/0x7e4
[ 89.747306][ T6289]  sock_do_ioctl+0x134/0x2d0
[ 89.748528][ T6289]  sock_ioctl+0x4ec/0x838
[ 89.749673][ T6289]  __arm64_sys_ioctl+0x14c/0x1c8
[ 89.750901][ T6289]  invoke_syscall+0x98/0x2b8
[ 89.752086][ T6289]  el0_svc_common+0x130/0x23c
[ 89.753290][ T6289]  do_el0_svc+0x48/0x58
[ 89.754364][ T6289]  el0_svc+0x54/0x168
[ 89.755410][ T6289]  el0t_64_sync_handler+0x84/0xfc
[ 89.756688][ T6289]  el0t_64_sync+0x190/0x194
[ 89.757855][ T6289]
[ 89.758481][ T6289] The buggy address belongs to the object at ffff0000ec0103c0
[ 89.758481][ T6289]  which belongs to the cache skbuff_head_cache of size 240
[ 89.762240][ T6289] The buggy address is located 0 bytes inside of
[ 89.762240][ T6289]  240-byte region [ffff0000ec0103c0, ffff0000ec0104b0)
[ 89.765610][ T6289]
[ 89.766200][ T6289] The buggy address belongs to the physical page:
[ 89.767892][ T6289] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c010
[ 89.770179][ T6289] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 89.772081][ T6289] page_type: 0xffffefff(slab)
[ 89.773267][ T6289] raw: 05ffc00000000000 ffff0000c1bcc780 dead000000000122 0000000000000000
[ 89.775513][ T6289] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 89.777788][ T6289] page dumped because: kasan: bad access detected
[ 89.779445][ T6289]
[ 89.780042][ T6289] Memory state around the buggy address:
[ 89.781466][ T6289]  ffff0000ec010280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 89.783475][ T6289]  ffff0000ec010300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 89.785665][ T6289] >ffff0000ec010380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 89.787773][ T6289]                                            ^
[ 89.789467][ T6289]  ffff0000ec010400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.791492][ T6289]  ffff0000ec010480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 89.793596][ T6289] ==================================================================
[ 89.802941][ T6289] Disabling lock debugging due to kernel taint